FTC Privacy Law and Policy Page

2019-10-15T14:30:10+00:00

D-Link Updates

The seal has been lifted on the complaint in the D-Link case. This document highlights the previously redacted portions in yellow.

Yesterday (April 3, 2017), D-Link filed a motion to dismiss that includes the initial hearing transcript.

March 25th, 2017

The D-Word: Dignity

Several months after joining the Commission as director of consumer protection, David Vladeck gave an interview to the New York Times, in which he invoked the d-word – dignity – four times. In describing his role at the Commission, he said, “I think there’s a huge dignity interest wrapped up in having somebody looking at your financial records when they have no business doing that. I think there is a dignity interest that needs to be protected when someone’s looking at, maybe, your prescription medications that you’re getting online. I don’t think the harm model that the Commission has used at times really captures those injuries.”26

Supporters of the harm-based approach felt deeply threatened by the idea that the FTC would use dignity as a case selection factor. Harm supporters reacted hysterically, labeling Vladeck’s views emotional, questionable, vague, nontraditional, and subjective. They warned of expanding liability, of influence from foreign legal interests, and so on. In critiquing Vladeck, harms-based supporters almost always put dignity in quotes, as if it were some Germanism. Even commission officials tried to soften the interpretation of Vladeck’s use of the word “dignity.”27

Maintaining dignity is a main reason why people seek privacy. Consider the lock on the bathroom or bedroom door as mechanisms that protect non-economic interests in shielding the naked body from observation. The Commission has taken action in several cases where business practices enabled spying into the home and the capture of images of people within their homes. Such spying does not cause an obvious economic harm to people, yet most people would support having the government defend against such intrusions.

Why would the idea of dignity be so alien to privacy? And if dignity means the idea of protecting a person’s honor or worth, why would the business community be so threatened by it?

26 NEW YORK TIMES, AN INTERVIEW WITH DAVID VLADECK, August 5, 2009.
27 Thumbs Down to Notice-and-Choice at FTC, But Firm Rules Not Planned, 11(76) WARREN’S WASHINGTON INTERNET DAILY, April 11, 2010.


February 2nd, 2017

On Kenneth Rogoff’s The Curse of Cash

Professor Kenneth Rogoff’s Curse of Cash convincingly argues that we pay a high price for our commitment to cash: Over a trillion dollars of it is circulating outside of US banks, enough for every American to be holding $4,200. Eighty percent of US currency is in hundred dollar bills, yet few of us actually carry large bills around (except perhaps in the Bay Area, where the ATMs do dispense 100s…). So where is all this money? Rogoff’s careful evidence gathering points to the hands of criminals and tax evaders. Perhaps more importantly, the availability of cash makes it impossible for central banks to pursue negative interest rate policies—because we can just hoard our money as cash and have an effective zero interest rate.

What to do about this? Rogoff does not argue for a cashless economy, but rather a less cash economy. Eliminate large bills, particularly the $100 (interesting fact–$1mm in 100s weighs just 22 pounds), and then moving large amounts of value around illegally becomes much more difficult. Proxies for cash are not very good—they are illiquid, heavy, or easily detectable. And what about Bitcoin?—not as anonymous as people think. Think Rogoff’s plan is impossible? Well, India Prime Minister Modi just implemented a version of it, eliminating the 500 and 1,000 rupee notes.

As you might imagine, Rogoff’s proposal angers many privacy advocates and libertarians. His well written, well informed, and well argued book deserves more than its 2 stars on Amazon.

My critique is a bit different from the discontents on Amazon. I think Rogoff’s proposal offers a good opportunity to think through what consumer protection in payments systems might look like in a less-cash world—this is a world I think we are entering. Yet, Rogoff’s discussion shows a real lack of engagement in the payments and especially the privacy literature. For Rogoff’s proposal to be taken seriously, we need to revamp payments to address the problems of fees, cybersecurity, consumer protection, and other pathologies that electronic payments exacerbate.

The Problem of Fees

One immediately apparent problem is that as much as cash contributes to crime and tax evasion, electronic payments contribute to waste as well, in different ways. The least obvious is the cartel-like fees imposed by electronic payments providers. All consumers—including cash users—subsidize the cost of electronic payments, and the price tag is massive. In the case of credit cards, fees can be as high as 3.5% of the transaction. I know from practice that startups’ business models are sometimes shaped around the problem of such fees. Fees may even be responsible for the absence of a viable micropayment system for online content.

Fees represent a hidden tax that a less-cash society will pay more of, unless users are transitioned to payment alternatives that draw directly from their bank accounts. Rogoff seems to implicitly assume that consumers will choose that alternative, but it is not clear to me that consumers perceive the fee difference between standard credit card accounts and use of debit or ACH-linked systems. For many consumers, especially more affluent ones, the obvious choice is to choose a credit card, pay the balance monthly, and enjoy the perks. Rogoff’s policy then means more free perks for the rich that are subsidized by poorer consumers.

Taking Cybercrime Seriously

Here’s a more obvious crime problem—while Rogoff is quick to observe that cash means that cashiers will skim, there is less attention paid to the kinds of fraud that electronic payments enable. Electronic payment creates new planes of attack for different actors who are not in proximity to the victims. A cashier will skim a few dollars a night, but can be fired. Cybercriminals will bust out for much larger sums from safe havens elsewhere in the world.

The Problem of Impulsive Spending and Improvidence

Consumers also spend more when they use electronic payments. And so a less cash society means that you’ll have…less money! Cash itself is an abstract representation of value, but digital cash is both an abstraction and immaterial. One doesn’t feel the “sting” of parting with electronic cash. In fact, there is even a company making a device to simulate parting with cash to deter frivolous spending.

The Problem of Cyberattack

Rogoff imagines threats to electronic payment as power outages and the like. That’s just the beginning. There are cybercriminals who are economically motivated, but then there are those who just want to create instability or make a political statement. We should expect attacks on payments to affect confidentiality, integrity, and availability of services, and these attacks will come from economically motivated actors, from nation states, and from terrorists simply wanting to put a thumb in the eye of commerce. The worst attacks will not be power-outage-like events, but rather attacks on integrity that undermine trust in the payment system.

Moving From Regulation Z to E

The consumer protection landscape tilts in the move from credit cards to debit and ACH. Credit cards are wonderful because the defaults protect consumers from fraud almost absolutely. ACH and debit payments place far more risk of loss onto the consumer, theoretically, more risk than even cash presents. For instance, if a business swindles a cash-paying customer, that customer only loses the cash actually transferred. In a debit transaction, the risk of loss is theoretically unlimited unless it is noticed by the consumer within 60 days. Many scammers operate today and make millions by effectuating small, unnoticed charges against consumers’ electronic accounts.

The Illiberal State; Strong Arm Robbery

Much of Rogoff’s argument depends on other assumptions, ones that we might not accept so willingly anymore. We currently live in a society committed to small-l liberal values. We have generally honest government officials. What if that were to change? In societies plagued with corruption and the need to bribe officials, mobile payments become a way to extract more money from the individual than she would ordinarily carry. Such systems make it impossible to hide how much money one has from officials or in a strong-arm robbery.

Paying Fast and Slow

Time matters, and Rogoff is wrong about the relative speed of payment in a cash versus electronic transaction. Rogoff cites a 2008 study showing that debit and cash transactions take the same amount of time. This is a central issue for retailers, and large ones such as Wal-Mart know to the second what is holding up a line, because these seconds literally add up to millions of dollars in lost sales. Retailers mindful of time kept credit card transactions quick, but with the advent of chip transactions, cash clearly is the quickest method of payment. It is quite aggravating to wait for so many people charging small purchases nowadays.

Mobile might change these dynamics–but not anytime soon. Bluetooth basically does not work. To use mobile payments safely one should keep their phone locked. So when you add up the time of 1) unlocking the phone, 2) finding the payment app, 3) futzing with it, and 4) waiting for the network to approve the transaction, cash is going to be quicker. These transaction costs could be lowered, but the winner is going to be the platform-provided approaches (Apple or Android) and not competitive apps.

Privacy 101

Privacy is a final area where Rogoff does not identify the literature or the issues involved. And this is too bad because electronic payments need not eliminate privacy. In fact, our current credit card system segments information such that it gives consumers some privacy: Merchants have problems identifying consumers because names are not unique and because some credit card networks prohibit retailers from using cardholder data for marketing. The credit card network is a kind of ISP and knows almost nothing about the transaction details. And the issuing and acquiring banks know how much was spent and where, but not the SKU-level data of purchases.

The problem is that almost all new electronic payments systems are designed to collect as much data as possible and to spread it around to everyone involved. This fact is hidden from the consumer, who might already falsely assume that there’s no privacy in credit transactions.

The privacy differential has real consequences for privacy that Rogoff never really contemplates or addresses. It ranges from customer profiling to the problem that you can never just buy a pack of gum without telling the retailer who you are. You indeed may have “nothing to hide” about your gum, but consider this—once the retailer identifies you, you have an “established business relationship” with that retailer. The retailer then has the legal and technical ability to send you spam, telemarketing calls, and even junk fax messages! This is why Jan Whittington and I characterized personal information transfers as “continuous” transactions—exchanges where payment doesn’t sever the link between the parties. Such continuous transactions have many more costs than the consumer can perceive.

Conclusion

Professor Rogoff’s book describes in detail how cash enables more crime, leads to paying more taxes, and hobbles our government from implementing more aggressive monetary policy. But the problem is that the proposed remedy suffers from a series of pathologies that will increase costs to consumers in other ways, perhaps dramatically. So yes, there is a curse of cash, but there are dangerous and wasteful curses associated with electronic payment, particularly credit.

The critiques I write here are well established in the legal literature. Merely using the Google would have turned up the various problems explained here. And this makes me want to raise another point that is more general about academic economists. I have written elsewhere that economists’ disciplinarity is a serious problem, leading to scholarship out of touch with the realities of the very businesses that economists claim to study. I find surprisingly naive works by economists in privacy who seem immune to the idea that smart people exist outside the discipline and may have contemplated the same thoughts (often decades earlier). Making matters worse, the group agreement to observe disciplinary borders creates a kind of Dunning–Kruger effect, because peer review also misses relevant literature outside the discipline. Until academic economists look beyond the borders of their discipline, their work will always be a bit irrelevant, a bit out of step. And the industry will not correct these misperceptions because works such as these benefit banks’ policy goals.

November 16th, 2016

On the “Coalition for Better Ads”

Behold the newest self-regulatory group, the “Coalition for Better Ads,” which claims that it will, “improve consumers’ experience with online advertising. The Coalition for Better Ads will leverage consumer insights and cross-industry expertise to develop and implement new global standards for online advertising that address consumer expectations.” How? They will:

  • Create consumer-based, data-driven standards that companies in the online advertising industry can use to improve the consumer ad experience

  • In conjunction with the IAB Tech Lab, develop and deploy technology to implement these standards

  • Encourage awareness of the standards among consumers and businesses in order to ensure wide uptake and elicit feedback

    The Coalition will draw upon consumer research in shaping the standards.

What are “better” ads? Certainly more secure ads would be welcome, in the sense that modern web advertising is not a billboard but rather code that can introduce insecurity. But what about privacy? Wouldn’t it make sense for ads to be more respectful of users’ privacy? How about advertisers’ use of data brokers to merge data online and off–something that NAI promised would not happen back in 2000?

These are dangerous questions to ask. So dangerous, that the fearless leaders of Facebook wouldn’t even ask them. Recall last month when Facebook announced it would circumvent ad blockers? Facebook’s Andrew Bosworth wrote:

For the past few years at Facebook we’ve worked to better understand people’s concerns with online ads. What we’ve heard is that people don’t like to see ads that are irrelevant to them or that disrupt or break their experience. People also want to have control over the kinds of ads they see.

Well, I think those conclusions are correct. Obviously no one wants disruptive ads–the emergence of the popup blocker is testimony to that. And if you are going to have advertising, you might as well have relevant ads. The elephant in the room is privacy–how did a company that tracks people on about 40% of the public web, intermediates the conversations, and tracks them physically not raise privacy issues? The answer is that Facebook didn’t ask about privacy.

Turning to the Coalition for Better Ads, it did not mention privacy anywhere in its discussion of ads. Nor did Pagefair in its 2015 study of ad blocking, nor did IAB’s primer on ad blocking. The closest that any ad group will get to the question appears to be Secret Media, which in a 2016 report wrote, “It is our hypothesis that advertising technologies are negatively impacting publisher websites and causing users to be frustrated by slow page load, tracking that exploits personal data, and the over exposure to ads.”

October 23rd, 2016
